by

Lori A. Richards

Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

March 29, 2006

As a matter of policy, the SEC disclaims responsibility for any private statement by an employee. The views expressed here today are my own and do not necessarily reflect those of the Commission, the Commissioners or other members of the staff.

Good afternoon. I am so pleased to be here today. I want to thank Alan Sorcher and the SIA's Anti-Money Laundering Committee for organizing this valuable event and for inviting me back to speak with you once again regarding anti-money laundering ("AML") compliance.

In thinking about this conference, I was amazed to realize that it's been five years since I first spoke to this group regarding AML compliance - way back in May 2001!1 We've come a long way in that time period. After all, the SIA's first AML conference took place before the terrible events of September 11, 2001, and well before the USA PATRIOT Act2 and its implementing regulations came into being.

Today, we're all AML "veterans" - - that is, AML compliance has entered a more mature phase. Regulations have been issued; basic AML programs should be in place; firm employees should have received their AML training; and firms should be identifying and addressing suspicious activity. From a regulatory perspective, the SEC and the SROs have largely finished a first round of AML examinations and now are beginning to take a "second look" at firms' AML programs. We're now all faced with the ongoing challenges of AML compliance. Along with all of the technical issues and complexity of AML work, one of our challenges is to not lose sight of our ultimate goal -- to deter money launderers and terrorist financiers from using U.S. securities firms and to detect those who do. As we're in the trenches in this work every day, we must also keep our ultimate goal, and the importance of our work, clearly in mind.

I'd like to begin today with some observations regarding AML in the broader compliance context. In some ways, AML compliance is no different from compliance with other obligations: there are legal requirements that firms must meet, firms must understand how those obligations apply to their operations, must train employees and ensure that they are supervised in meeting those obligations, and must implement processes to aid compliance and detect and remedy any violations. Independent auditors review for compliance and regulators examine for it. In all these respects, compliance with AML rules is no different than compliance with the net capital rules, or rules requiring that firms seek the "best execution" of client securities trades. My point is that there are basic steps to compliance with any rule, and AML compliance is no different.

But, AML compliance is also different in several significant respects.

First, there is a new "rulebook" - or should I say, a new chapter in the AML rulebook. In addition to securities-related statutes and rules, there are new Treasury rules as well as OFAC lists and requirements.3 Firms must identify, monitor, and educate themselves regarding these new rules and requirements. This can be quite a challenge, I know. Often, these AML rules and other requirements do not appear side-by-side with the more traditional securities law requirements that firms are accustomed to dealing with, and OFAC lists and requirements change on a regular basis.

But there is a more profound difference. AML compliance requires firms to look beyond "bright-line" legal requirements. Unlike securities-law requirements that may focus on a discrete area of a firm's business, AML compliance requires firms to ask questions and make assessments -- from an overall, comprehensive perspective. AML compliance often involves a "red flag" approach to identifying risks based on the firm's customers, geography, business model and other factors. This is markedly different than the more traditional rule-based compliance focus. AML compliance first requires an overall picture, so you can discern the forest from the trees. I call this approach: looking at "the 'total mix,'" to borrow a phrase from landmark Supreme Court securities decisions.4 Determining what is, and what is not "suspicious" in the AML context necessitates an assessment of all of the information available throughout the firm -- a comprehensive, coordinated "total mix" environment. This is why the flow of information within firms is so important - and why firms should be alert to whether and how important information makes its way through the firm.5

And, in the AML area perhaps as in no other, the AML Officer or AML group needs to have information from, and interact with, all relevant parts of the firm in order to identify and detect red flags. Often, it may be that suspicious activity is only identified with several pieces of the puzzle. Firm procedures must facilitate these pieces coming together. If Trading isn't talking to Legal, and New Accounts isn't talking to Compliance, and Operations and "back office" staff talk to no one, and if these disparate areas of the firm are not also connecting with the AML people, then a firm's AML program can't be effective.

From an AML regulatory perspective, regulators also need to look at the whole picture and take a coordinated, integrated approach. For us, the "total mix," of regulators includes the SEC and the SROs, as well as Treasury, FinCEN, and OFAC. We all need to make unprecedented efforts to communicate and coordinate with each other, to keep up with AML regulatory and enforcement developments on all sides. While the SEC's oversight responsibilities for the SROs mandate a certain baseline level of communication and joint regulatory action, I'm very pleased to report that the SEC and SROs have taken coordination and cooperation in the area of AML to new levels. We meet and confer regularly to discuss examination trends, regulatory issues and enforcement matters. We conduct joint examinations and training for examiners. Our AML examination scopes are similar, and to further promote consistency, we have formed a task group to harmonize our AML examination procedures. It is our goal to roll this out this summer.

And, as regulators, we too must look at the broader picture. Because many regulated securities firms are now also affiliated with banks and bank holding companies, we also consult, share information and, as appropriate, conduct joint examinations with the federal bank regulators. This all helps to ensure that AML compliance doesn't "fall between the cracks" of regulatory boundaries, and also promotes consistency in interpretations and examination coverage across different industries.

With these observations in mind, I want to share with you a few important issues that have come up in AML examinations recently. As you will see, we've moved beyond the basics. Examiners are now looking at such issues as: how a firm considers its enterprise-wide functions and risks, including its branch offices and foreign business relationships; the impact of new business acquisitions and outsourced activity on firms' AML compliance programs; AML in the introducing-clearing relationship; relationships with foreign financial institutions; and finally, AML training. As you can see, these areas of examination inquiry reinforce the theme of looking at how the "total mix" of a firm's activities may impact the effectiveness of its AML program. I also wanted to share a few tips with you to help you prepare for some likely examination questions in these areas.

Enterprise-Wide AML. I'll begin with what I call "enterprise-wide" AML issues and concerns. As you all know, the securities industry is composed of a wide variety of firms, from the one-person shop operating from a kitchen table and a laptop to the huge, multinational conglomerates. The "financial supermarket" firms may have one or more commercial banks, insurance companies, mutual fund complexes, investment banks, futures firms and broker-dealers under their umbrellas. Many of these large and organizationally diverse firms have created a global AML group to manage the AML program across all affiliates in the group.

Examiners are finding that some firms of different sizes and types may not be looking at their whole business -- on an enterprise-wide basis -- when crafting and implementing their AML programs. In particular, examiners have identified issues regarding the coverage of branch offices, outsourced activities and new business activities. Let me describe what I mean in each area.

AML at Branch Offices: U.S. securities firms operate all over the United States, as well as all over the world. Indeed, in the U.S., broker-dealers have more than 115,000 branch offices, from Honolulu to San Juan. No matter how far away from the home office, branches should be a focus of your program. The personnel in the branches often have the closest relationships with customers, and are often in the best position to detect "red flags." A firm's AML Officer should have information from and strong lines of communications with the firm's branches. If your firm has branch offices, you can anticipate examiner questions regarding how the firm's branch offices are covered by the firm's AML program.

Outsourcing: If your firm is looking to an affiliate or another third-party service provider to perform certain AML functions, your firm is, and remains, responsible for ensuring that these functions are effectively performed. As we all know, the Customer Identification Program requirements is the only area where Treasury has outlined conditions specifying how firms can legally rely on another party.6 In other areas, if a firm is outsourcing an AML function to another entity, the firm can't just hope like heck that it's getting done. You must be vigilant and check up on the relationship. Examiners will also be checking.

Mergers and Acquisitions: The landscape of the securities industry is ever-changing by mergers and acquisitions and other business combinations among firms. Examiners have found instances where firms that have merged with or acquired other firms may have neglected to consider the impact of the combination on the firm's AML program. It's essential to devote resources and energy to ensure that the AML programs at the different entities are merged in a sound, workable way. Here are a few basic questions that firms might ask themselves in the M&A context:

Has our risk profile changed as a result of this new business?

Have our customer base, transaction mix, or other factors changed to make our existing AML program and systems obsolete?

- Do we have a different geographic presence that should be addressed?

- Should we undertake enhanced training to ensure that new and existing employees are all up to speed?

- Is there sufficient continuity with respect to suspicious activity detection and reporting and other legal obligations?7

Suspicious Activity Monitoring, Detection and Reporting. Since this area is really the cornerstone of firms' AML programs, it receives a fair amount of attention from examiners. Here are some of the issues that have arisen in the examination context, and some steps that firms might take to enhance compliance in this area:

Aggregation of Information: Examiners are finding that some firms' automated systems may not be aggregating information in a way that gives the firm a full picture of a customer's flow of funds. When firms review their automated systems, they should ask: Do we take into account our "total mix" of risk factors? For example, do our surveillance systems pick up, and aggregate as appropriate, all relevant activity including wires, check writing, employee transactions and proprietary trading?

Documentation: So much of the AML landscape is grounded in documentation. Because AML is risk-based, examiners will look for documentation of a firm's decision-making process. Generally, if you demonstrate that your firm devotes sufficient resources to your suspicious activity monitoring, detection and reporting program; your investigations are conducted and resolved in a timely manner; and those decisions are well documented, you should not be second-guessed by examiners.

AML in the Introducing-Clearing Context. Another important focus area for SEC and SRO examinations is the relationship between introducing and clearing firms. In many ways, clearing firms are some of the biggest players in the fight against money laundering and terrorist financing. They typically have the most resources and sophisticated systems. They see the highest volume of securities transactions and money flowing through accounts. They file the most SARs. On the other hand, introducing brokers may have the most direct contact with customers on a day-to-day basis.

Examiners have in some instances found a lack of communication between introducing and clearing firms, and this is the area where we see the most "finger pointing" occurring - with a back and forth kind of dialogue that sounds like: "you are responsible; no, you are responsible; no you are responsible…" Obviously, this dynamic is not likely to result in good compliance. Broker-dealers can expect that examiners will ask about the introducing-clearing relationship. In particular, examiners will ask about the lists of exception reports provided by the clearing firm,8 and how or if they are being used by the introducing firm. The message in this area should be clear-- an introducing and clearing firm that together effect securities transactions -- need to work together to meet their AML obligations.

Doing Business with Foreign Financial Institutions. This is an area that has received a lot of attention lately. In examinations, we've seen indications that some broker-dealers have foreign financial institutions as customers, and they aren't even aware of it. With Treasury's new and proposed rules under Section 312, and the problems identified in the Hartsfield case, as well as many settlements in the banking area, you can expect continued focus on this important area in SEC and SRO examinations.9 Firms should be able to demonstrate that they have identified and tracked their customers that fall into the definition of "foreign financial institution."10

Training - It Never Goes Out of Style. We all know that employee training is an essential, and indeed, required part of every AML program.11 Most firms have implemented basic training programs, and certainly there's a cottage industry of vendors out there in the AML training space. Here's a caution: examiners are finding that some firms are using "one size fits all" employee training programs that don't seem to be effectively tailored for the firm. Make sure that your AML training program is really useful to your employees and is customized to the firm's business and its risks.

Examiners will consider whether the substance of the firm's training program is appropriately customized to the firm's business model and risk profile. They will ask to see copies of training materials, and to see indications that employees attended the training -- in particular, they will want to see that key employees, such as those responsible for processing wires and new account information and AML officers and staff, have been trained on AML and OFAC issues.

***

As I said at the outset, in the five years since I first spoke to this group, we've come a long way, and AML compliance has entered a more mature phase. In the last few years, regulators and industry firms have worked hard to implement strong AML programs. I want to take a moment to tip my hat to a few key players. The SEC could not possibly do its job in this area without the efforts of Mike Rufino and Sheila Haney at the NYSE and Emily Gordy, Alma Angotti, George Walz and Muffie Humphrey at the NASD. And of course, where would we be without our partners at FinCEN and OFAC? The SEC and SROs have been working closely with them on regulatory, examination and technical issues. I would like to welcome Bob Werner to his new post as FinCEN Director. Coming from OFAC, he is no stranger to us, and we look forward to continuing to work with him at FinCEN. And, at the SEC, Karen Burgess, Katrina Carroll and David Blass are true assets in the AML field.

I also want to recognize you, as AML professionals in the securities industry, for your important contributions to this collective effort. The AML rules and regulations are written to make financial institutions serve as the "first line of defense" in the fight against money laundering and terrorist finance. Industry representatives contribute to the unified AML effort by participating in the work of the Bank Secrecy Act Advisory Group, where they sit side-by-side with staff from the SEC, SROs, Treasury and FinCEN. Most importantly, based on our AML examination experience, we know that firms are taking AML seriously and that you are engaged. We have received thoughtful, intelligent questions that show us that firms are focused on important issues and want to do the right thing. Keep on asking questions, keep on talking with us about these issues. The dialogue between securities firms and regulators is a positive thing, and we are headed in the right direction.

5Firms need to avoid the "silo problem" that was evidenced by the AmSouth Bank case. SeeIn the Matter of AmSouth Bank, Financial Crimes Enforcement Network, Assessment of Civil Monetary Penalty, No. 2004-2 (October 12, 2004). See alsoIn the Matter of AmSouth Banking Corp. and AmSouth Bank, Bd. of Governors of the Fed. Res. Syst. and the Alabama Dept. of Banking, Cease and Desist Order and Order of Assessment of a Civil Monetary Penalty (October 12, 2004) (the bank's internal controls were not sufficiently integrated and key information was not provided to the AML compliance group to foster informed decision-making).

7See 31 C.F.R. 103.19. See also 31 C.F.R. 100 (requiring that firms designate a recipient for information requests from law enforcement, check their records in response to any such requests and report any positive matches).

8See NYSE Rule 382, which requires, among other things, clearing brokers to provide a list of available exception reports to introducing brokers.